Judge Throws Out Hospital Data-Hack Case

HOUSTON (CN) – The “heightened risk of future identity theft” is not enough to establish standing for a woman to sue a hospital system that let hackers compromise her private data, a federal judge ruled. St. Joseph Health System, a Texas hospital and health clinic operator, said in February 2014 that hackers had breached its computer system two months earlier, gaining access to the private data of 405,000 patients and employees. Though St. Joseph said it was not aware that the breach had led to any identity thefts, it paid for a year of credit monitoring and identity theft protection for all the potential victims. But St. Joseph’s cleanup efforts did not allay the fears of patient Beverly Peters. She filed a class action against St. Joseph in March 2014. As with all its patients, the hospital system stored Peters’ Social Security number, birth date, address, medical records and bank account information on its computer network. Peters claimed the hackers put her data on the Internet for third parties to use as they pleased. She said she tracked the hack to a fraudulent purchase on her Discover card, an effort to gain access to her Amazon account, a daily barrage of telephone solicitations by medical products and service companies, and spam sent from her compromised Yahoo email account. St. Joseph sought to dismiss the case, claiming Peters had not suffered an injury traceable to the data breach, and that even if she established causation she had not proved any quantifiable damage or loss from the hack. U.S. District Judge Kenneth Hoyt took St. Joseph’s side on Wednesday and dismissed the lawsuit. Hoyt said that Peters’ identity-theft issues had been resolved. “Discover never charged her for the fraudulent purchase identified in the complaint and closed her account to prevent future fraud,” Hoyt wrote. “Upon discovery that her Yahoo email account had been compromised, Peters changed her password. The complaint contains no allegations that her email contacts continue to receive voluminous spam email from her account since she took this proactive measure.” Hoyt cited the U.S. Supreme Court ruling in Clapper v. Amnesty International USA. In it, reporters, attorneys and the human rights group challenged part of the Foreign Intelligence Surveillance Act of 1978 that allows the U.S. government to intercept communications from foreigners outside the States. Those plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. The Clapper plaintiffs argued: “There [was] an objectively reasonable likelihood that their communication with their foreign contacts will be intercepted under [FISA] at some point in the future.” The Supreme Court tossed the case, finding the plaintiffs had not established the threat of government surveillance was “certainly impending.” Hoyt relied on that reasoning in rejecting Peters’ claims. “Under Clapper, Peters must at least plausibly establish a ‘certainly impending’ or ‘substantial’ risk that she will be victimized. The allegation that risk has been increased does not transform that assertion into a cognizable injury,” Hoyt wrote in a 15-page order. He dismissed Peters’ federal claims with prejudice. He dismissed her state law claims without prejudice and gave her 30 days to amend them in state court. Peters’ attorney, Jason Webster of Houston, was not immediately available to comment.